Managing risk on the virtual desktop

The biggest data threats are internal, and encryption is necessary, says Darren Briscoe

Outsourcing BYOD support is an appealing option for many, but a number of managed services providers are not staying close enough to the technology, or keeping up with new developments, to understand it properly.

Like many IT departments, service providers are terrified of managing the security risks posed by mobile and tablet devices because they do not know what types of risks virtualised clients actually bring.

If managed services providers expect to grow in the future, they need to understand how to manage virtualised desktop environments and deal with the security risks.

The good news is that it is safer to have virtualised clients on a personal device because the security is taken care of by a centralised cloud server and not managed on a per-device basis.

If something goes wrong, the problem can be addressed quickly by an administrator accessing the central area where all the data is stored.

Furthermore, preventative measures can be put in place before any client virtualisation software is installed to shield data from external attacks.

One of the most effective ways is to invest in a solution such as Cisco's Identity Services Engine. This is an all-in-one enterprise policy control platform that enables organisations to enforce compliance, enhance infrastructure security, and simplify service operations.

It allows users to produce security profiles for different devices – whether tablets or mobiles – so they can connect securely to a network.

It is installed at the beginning to eliminate all security problems coming from external threats.

But are these risks exaggerated? Do most businesses actually have data that is sensitive enough to be of any value?

The risk of being hacked by an elite external mafia gang is extremely small for most businesses. Professional hackers and troublemakers generally only go after organisations that store personal data on file, and these are usually massive global organisations that have encrypted this data and stored it in a private cloud.

The biggest threats to data are from internal sources. More than 90 per cent of the greatest risks to data, such as malware, viruses and hacking, arise through people taking things away on a USB or downloading them to personal devices.

With internal hacking, you cannot just install a piece of software to avoid the problem. It's all about security processes and how to implement policies. That's the biggest risk, which is always overlooked.

There is very little that can be done if an inside job has taken place and there is a security breach.

One thing that businesses and government organisations are adhering to at the moment is an unpublished standard called Business Impact Levels (ILs). This framework incorporates a seven-point scale outlining what organisations need to do to manage risk, confidentiality and integrity.

Enforcing an IL can help create policies that protect data and possibly even deter people from stealing it – although ultimately it cannot stop all attacks.

Essentially, the onus is always on the organisation to have the right level of encryption to protect data.

Virtualisation is already here and soon most desktops will be part of that environment. To speed up adoption, vendors such as Microsoft are even starting to give away virtual clients free of charge – and the trend will only continue.

If managed services providers and IT departments are to stay in tune with this innovation, they need to understand the risks and encourage end users to encrypt data.

Darren Briscoe is technical director at Comms-care